Understanding Suspicious Activity: What MSBs Need to Know About Spotting, Documenting, and Reporting Red Flags

In the world of Anti-Money Laundering (AML) compliance, there’s one word that regulators, bankers, and law enforcement keep circling back to: suspicious. For Money Services Businesses (MSBs), understanding what qualifies as suspicious activity—and how to respond appropriately—can be the difference between a clean audit and serious regulatory consequences.

At ComplyCheck, we help MSBs do more than just follow the rules—we help them recognize what suspicious activity looks like in real time and implement a system that proves they’re taking it seriously. If you operate a check-cashing business, this guide will help you understand the expectations around suspicious activity and how to stay one step ahead.

What Is Suspicious Activity?

Suspicious activity refers to any transaction or pattern of behavior that doesn't seem to make normal business sense for the customer or the business type, or that appears designed to evade regulatory requirements. Importantly, it does not have to be criminal. You are not being asked to prove guilt—just to recognize that something doesn’t add up.

FinCEN and the IRS expect MSBs to exercise reasonable judgment. That means you don’t need to act like law enforcement, but you do need to be able to detect red flags and document what you see.

The most common question MSB owners ask is:

“How do I know if something is suspicious?”

The answer: Context is everything. A $5,000 check-cashing transaction might be totally normal for one customer and extremely suspicious for another. The more you understand your customers and their typical behavior, the easier it becomes to spot when something’s off.

Examples of Suspicious Activity in the MSB World

Suspicious activity can come in many forms, especially in check-cashing operations. Here are some examples that often raise concern:

• Structuring – Customers cashing checks in amounts just under the $10,000 CTR threshold across multiple days or locations.
• Third-Party Activity – A person cashing checks payable to multiple businesses, or checks from unrelated sources.
• Volume Spikes – A customer who normally cashes $50,000 per month suddenly brings in $300,000 with no explanation.
• Avoidance Behavior – Refusal to show ID, sudden resistance to completing required forms, or reluctance to discuss business operations.
• Offering Bribes or Excessive Tips – Customers offering cash or other items of value for employees to violate policies and procedures, regulations, and laws.
• Alteration of Transactions – A customer that, when told of a reporting or ID requirement, adjusts their transaction to an amount not meeting the threshold.
• Returned Check Patterns – A growing number of bad checks with no recovery or refusal to resolve negative balances.
• Check Types That Don’t Match the Business – For example, a construction business cashing government refund checks, or a trucking company with payroll checks payable to others.
• Signed-Over or Endorsed Checks – Even if technically allowed, these are a common red flag for regulators.

Recognizing suspicious activity starts with knowing your customer—their business model, transaction history, and what’s typical for their line of work. If something falls outside those boundaries, it may require closer scrutiny.

Structuring: The Most Common—and Most Enforced—Red Flag

Structuring, also known as smurfing, is the act of breaking up large transactions to avoid triggering the $10,000 Currency Transaction Report (CTR) requirement. In the MSB world, this might involve a customer bringing in several checks over multiple days, each just below $10,000.

Regulators use a 10-day rolling window to detect structuring. This means they’re not just looking at what happens in a single day—they’re watching for cumulative behavior across a full 10-day period.

Here’s the key: Structuring is often viewed as willful evasion. Even if the total dollar amount doesn’t reach $10,000 in a single day, if the pattern suggests the customer is trying to stay below the reporting threshold, it’s considered suspicious—and you may be required to file a Suspicious Activity Report (SAR).

ComplyCheck’s structuring detection tools help MSBs monitor customer behavior over rolling windows and flag possible structuring before it becomes a regulatory problem.

Document Everything (Even When You Don’t File a SAR)

Not every suspicious activity results in a SAR. But every suspicious activity should be documented. If a customer behaves oddly or something feels off about a transaction—even if you can’t quite put your finger on it—you should log the details internally.

This internal documentation becomes critical if regulators or auditors later ask why certain transactions didn’t result in a SAR. You’ll be able to show that you noticed the issue, evaluated it, and kept a record of your reasoning.

This kind of risk awareness shows regulators that your MSB is engaged in a true risk-based compliance program—not just checking boxes.

When Should an MSB File a SAR?

The SAR threshold for MSBs is $2,000 or more in suspicious transactions, whether it's a single transaction or a series of related ones. However, you can (and sometimes should) file SARs under that threshold when the circumstances demand it.

Important clarification:

While many MSBs believe SAR filing is always required, federal regulators do not mandate SAR filings for check-cashing businesses. However, some state regulators do. Even if not legally required in your jurisdiction, filing SARs is considered a best practice—especially when the activity could potentially support criminal conduct. SARs not only show proactive compliance but also provide valuable support to law enforcement efforts.

You’re expected to file a SAR if you detect:

• Possible structuring
• Signs of check fraud or forgery
• Transactions that don’t match the customer’s profile
• Repeated attempts to bypass your controls
• Any activity that appears to support illegal behavior (e.g., human smuggling, tax fraud, identity theft)

A good SAR contains detailed transaction information, a clear narrative explaining why it was filed, and, when possible, identifiers for the customer. Avoid vague language like “seemed suspicious.” Instead, clearly explain what was unusual and why it concerned you. And finally, never forget that the filing and details of a SAR is strictly confidential.  

Your AML Program Must Explain Your Suspicious Activity Reporting Process

A regulator reviewing your AML program will ask:

• Who is responsible for identifying suspicious activity?
• What happens when a red flag is raised?
• Who makes the decision to file (or not file) a SAR?
• How is that decision documented?

Your compliance manual should have these answers. If it doesn’t—or if the process isn’t followed—regulators may view your program as deficient, even if you filed a SAR properly.

ComplyCheck helps MSBs build SAR reporting processes that align with both federal expectations and the unique realities of running a check-cashing business.

Suspicious Activity Is a Process—Not a Panic

Many MSB owners are afraid of suspicious activity. Some ignore it, others overreact. The right approach is somewhere in between: create a reliable internal process, document what you see, and respond consistently.

Remember, regulators don’t expect perfection—but they do expect awareness and action. A business that demonstrates it is proactively managing risk will always fare better than one that pretends the risk doesn’t exist.

At ComplyCheck, we don’t just file SARs—we help you build systems that prevent problems, detect threats early, and respond in a way that satisfies regulators and banks alike.

Need Help Spotting or Documenting Suspicious Activity?

ComplyCheck has helped MSBs across the country design real-world suspicious activity procedures that don’t slow down their business—but do satisfy regulators. If you're unsure about what you're seeing, how to document it, or whether a SAR is needed, we can help.

Let’s talk.

📧 Email us at requests@complycheck.co or visit www.complycheck.co to get started.